AWS CloudFormation，堆栈更新未修改我的 EC2 配置

Question

我正在尝试确保我的 CloudFormation 创建一个可以使用 Update 或 ChangeSets 进行修改的堆栈。我意识到我必须使用 cfn-hup 和 init 脚本来实现这一点，而且我所拥有的似乎可以更新我的 CloudFormation 文件中的 SecurityGroups，但它根本不会改变实际的网络服务器基础架构。我以为我可以添加/删除软件包或更新配置文件，这些更改会得到反映。

这不可能吗？ （我使用的是 Amazon Linux 2）

这是我的文件。我觉得这应该是更新 nginx 配置文件，如果它改变了？

据我所知，使用 services.sysvinit.nginx.files 阅读 AWS 文档后，应该跟踪列出的我的 nginx 配置，如果检测到更改，则在迁移后重新加载 nginx。它还应该使用对我拥有的 server {} 块的任何新更改来更新 nginx 文件。

AWSTemplateFormatVersion: "2010-09-09"

Parameters:

  VPC:
    Description: "ID of VPC"
    Type: String

  AMI:
    Description: "ID of base image"
    Type: String

  KeyName:
    Description: "Name of an existing EC2 KeyPair to enable SSH access to the instance"
    Type: "AWS::EC2::KeyPair::KeyName"
    ConstraintDescription: "Must be the name of an existing EC2 KeyPair."

  InstanceType:
    Description: "Amazon Instance Type"
    Default: t2.micro
    Type: String

  SSHLocation:
    Description: "IP address range that can be used to SSH to EC2 Instance"
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0

Resources:

  ApiEc2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        configSets:
          InstallAndRun:
            - Configure
            - Install

        # install packages and setup files
        Install:
          packages:
            yum:
              php: []
              php-fpm: []
              php-mbstring: []
              php-bcmath: []
              php-pdo: []
              nginx: []

          files:
            /etc/nginx/conf.d/default.conf:
              content: !Sub |
                server {
                  listen 80;

                  root /var/www/html;

                  index index.php index.html index.htm;

                  gzip on;
                  gzip_vary off;
                  gzip_proxied static;
                  gzip_comp_level 6;
                  gzip_buffers 16 8k;
                  gzip_http_version 1.1;
                  gzip_types text/plain application/json;

                  charset utf-8;

                  location / {
                      try_files $uri $uri/ /index.php?$query_string;
                  }

                  location ~ \.php$ {
                      try_files $uri /index.php =404;
                      fastcgi_split_path_info ^(.+\.php)(/.+)$;
                      fastcgi_pass unix:/var/run/php-fpm/www.sock;
                      fastcgi_index index.php;
                      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                      include fastcgi_params;
                  }
                }

            /etc/php.d/default.ini:
              content: !Sub |
                display_errors = On

            /etc/cfn/cfn-hup.conf:
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                verbose=1
                interval=5
              mode: 000400
              owner: root
              group: root

            /etc/cfn/hooks.d/cfn-auto-reloader.conf:
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.ApiEc2Instance.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource ApiEc2Instance --configsets InstallAndRun --region ${AWS::Region}
                runas=root
              mode: 000400
              owner: root
              group: root

          services:
            sysvinit:
              nginx:
                enabled: true
                ensureRunning: true
                files:
                  - /etc/nginx/conf.d/default.conf
              cfn-hup:
                enabled: true
                ensureRunning: true
                files:
                  - /etc/cfn/cfn-hup.conf
                  - /etc/cfn/hooks.d/cfn-auto-reloader.conf

        # configure any separate execution scripts
        Configure:
          commands:
            01_update_php:
              command: "amazon-linux-extras enable php7.4 nginx1 ansible2"
              test: "! grep -Fxq '[amzn2extra-php7.4]' /etc/yum.repos.d/amzn2-extras.repo"

    Properties:
      ImageId: !Ref "AMI"
      InstanceType: !Ref "InstanceType"
      SecurityGroupIds:
        - !Ref ApiSSHSecurityGroup
        - !Ref ApiWebSecurityGroup
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: "API Sandbox"
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum update -y aws-cfn-bootstrap

          # Install the files and packages from the metadata
          /opt/aws/bin/cfn-init -v \
            --stack ${AWS::StackName} \
            --resource ApiEc2Instance \
            --configsets InstallAndRun \
            --region ${AWS::Region}

          # Signal the status from cfn-init
          /opt/aws/bin/cfn-signal -e $? \
            --stack ${AWS::StackName} \
            --resource ApiEc2Instance \
            --region ${AWS::Region}

          #
          service nginx reload
    CreationPolicy:
      ResourceSignal:
        Timeout: PT5M

  ApiSSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: API SSH Admins
      GroupDescription: Enable public access via port 22
      VpcId: !Ref "VPC"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref "SSHLocation"

  ApiWebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: API Public Web
      GroupDescription: Enable public web access via multiple ports
      VpcId: !Ref "VPC"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

Answer 1

基于聊天讨论。

hup default 需要 15 分钟 刷新。因此，问题是由于这次没有等待，因为似乎 hup 失败或在 15 分钟内什么都不做。

可以使用interval 变量调整时间，如docs 所示。